Method for protecting the audio/visual data across the NRSS interface

ABSTRACT

A system for enhancing the security of the interface between a consumer electronic device and a removable security device is provided by protecting the audio/visual (A/V) stream descrambled in the removable security device. The protection involves dynamically computing a shared key followed by the rescrambling of the A/V stream.

This application claims benefit of Provisional applications No.60/069,090, filed Dec. 10, 1997 and No. 60/086,567 filed May 21, 1998.

FIELD OF THE INVENTION

This invention concerns a system for enhancing the security of theinterface between a consumer electronic device and a removable securitydevice such as the interface defined by the National Renewable SecurityStandard (NRSS). Security is enhanced by protecting the audio/visual(A/V) stream that is descrambled by the removable security device, suchas a smart card, coupled to the consumer electronic device. Examples ofconsumer electronic devices employing the NRSS smart cards includedigital television receivers, digital video cassette recorders as wellas separate devices or “boxes” that may be located on top of, or coupledto, a television receiver, i.e., set-top boxes.

BACKGROUND OF THE INVENTION

A concern of today's emerging digital consumer electronic products isthe ability to access a plaintext (i.e., in-the-clear) digital bitstreamthereby permitting one to make unauthorized digital copies of thebitstream. The National Renewable Security Standard (NRSS) (EIA-679)developed by the Electronic Industries Alliance provides a means foremploying renewable security in connection with digital consumerelectronics (CE) devices, for example, digital television receivers,digital video cassette recorders and set-top boxes. Renewable securityallows for the development of conditional access systems that can bereplaced, upgraded or recovered with minimum cost and effort.

Typically, a service provider will scramble (or encrypt) the signalbefore it is transmitted or broadcast. A conditional access (CA) device(e.g., an NRSS smart card) may be used to descramble (or decrypt) thesignal and route it to the host device. However, a problem with the NRSSarchitecture is that the audio/visual (A/V) stream is sent to the hostdevice (for example, a display device or a set top box) from the smartcard in-the-clear. That is, the A/V stream is not scrambled when itleaves the CA device. Thus a person can monitor this line and use a datacapturing device to record all the data.

SUMMARY OF THE INVENTION

This invention resides, in part, in recognition of the described problemand, in part, in providing a solution to the problem. Generally, thepresent invention defines a method for protecting the outputaudio/visual (A/V) stream of a smart card by receiving a scrambledsignal from a source external to said smart card, generating adescrambling key in response to said received signal, descrambling saidreceived signal using said descrambling key to generate a descrambledsignal, receiving data from said external source, generating ascrambling key in response to said received data, scrambling saiddescrambled signal using said scrambling key to generate a rescrambledsignal, providing said rescrambled signal to said external source.

In accordance with one aspect of the present the received data is ascrambling key encrypted using a public key associated with said smartcard and wherein the step of generating said scrambling key comprisesdecrypting said encrypted scrambling key using a private key associatedwith said smart card, said private key being stored in said smart card.

In accordance with one aspect of the present invention, the scramblingkey comprises a seed value and the step of scrambling the descrambledsignal generating a random sequence in response to the seed value, andgenerating the rescrambled signal by exclusive ORing said randomsequence and said descrambled signal.

In accordance with another aspect of the present invention, the receivedscrambled signal comprises video, audio and control packets and the seedvalue is generated, in the external source, in a unique manner inresponse to said video, audio and control packets.

In accordance with another aspect of the present invention, the smartcard verifies the seed value by comparing the seed value to a subsequentseed value generated in the unique manner in response to the video.audio and control packets.

In accordance with yet another aspect of the present invention. the seedvalue is generated utilizing one of the hash of video, audio and controlpackets or by exclusive ORing said video, audio and control packetstogether.

In accordance with yet aspect of the present invention, a first seedvalue is generated in the smart card and the received data is a secondseed value. The step of generating said scrambling key comprisesgenerating said scrambling key in response to said first and second seedvalues.

In accordance with yet aspect of the present invention, a system formanaging access between a service provider and a host device having asmart card coupled is provided. The host device performing the steps of:receiving a scrambled signal from the service provider, sending, to thesmart card, a seed value generated in the host device and encryptedusing a public key of the smart card, coupling the received signal tothe smart card, and receiving from the smart card the rescrambledsignal. The smart card has a means for access control processing,comprising means for generating a descrambling key in response to thereceived signal, means for descrambling the received signal using thedescrambling key to generate a descrambled signal, means for decryptingthe encrypted seed value using a private key of the smart card toprovide the seed value, means for generating a random sequence inresponse to the seed value and means for scrambling the descrambledsignal using the random sequence and the descrambled signal to generatea rescrambled signal.

These and other aspects of the invention will be explained withreference to a preferred embodiment of the invention shown in theaccompanying Drawings.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a block diagram of an exemplary implementation of a system forenhancing the security of the interface between a consumer electronicdevice and a renewable security device in accordance with the invention;and

FIG. 2 is a scnematic block diagram illustrating the signal flow of FIG.1.

DETAILED DESCRIPTION OF THE DRAWINGS

When a conditional access (CA) device (or a smart card (SC)) receives atransmitted or broadcast signal (i.e., a program or event) that isscrambled (or encrypted), the CA device may be used to descramble (ordecrypt) the signal. The National Renewable Security Standard (NRSS)provides a means for implementing renewable security in connection withsmart cards employed with digital consumer electronics (CE) devices,such as, digital television receivers (DTV), digital video cassetterecorders (DVCR) and separate devices or “boxes” that may be located ontop of, or coupled to, a television receiver. i.e., set-top boxes (STB).A potential problem with the NRSS architecture is that the audio/visual(A/V) stream is not scrambled when it leaves the smart card. Thisprovides a point in which the security of the CA system could bebreached because one could monitor and tap the output of the smart cardand use a data capturing device to record all the plaintext data. Thepresent invention provides an improvement to protect the connectionbetween the smart card and the CE device. Such smart cards include ISO7816 cards having a card body with a plurality of terminals arranged ona surface in compliance with National Renewable Security Standard (NRSS)Part A or PCMCIA cards complying with NRSS Part B.

In FIG. 1, a system 10 for protecting the A/V stream of CE device 100which employs NRSS smart card (SC) 200 is depicted. Such CE or hostdevices 100 include DTVs, DVCRs or STBs. Smart Card 200 is insertedinto, or coupled to, a smart card reader 105 included in, or coupled to,host device 100; bus 150, internal to host device 100, interconnectshost device 100 and SC 200 thereby permitting the transfer of datatherebetween. Host device 100 is connected to a cable, satellite orbroadcast service provider (SP) 300 via a link 350. The protectionsystem of the present invention will be described in relation to system10 as shown in FIGS. 1 and 2.

For the protection of the NRSS interface (i.e., the return path), A/Vdata processing in accordance with this invention include rescramblingthe plaintext A/V data in the smart card. A requirement of consumerelectronic manufacturers for the design of a CA system is to avoid thepermanent storage of any secrets in the host device. Thus, therescrambling key cannot be exchanged using an architecture where aprivate or a shared secret key is embedded in the host. The rescramblingkey should be dynamically established without modifying the presentsmart t card architecture drastically. A dynamic key is one that isgenerated on-the-fly in real-time and is not fixed. Periodic (forexample, every ten seconds) generation of new keys is normally needed toincrease the robustness against cryptanalytic attacks.

Two key establishment protocols can be considered for this purpose:

1) A key transport protocol (e.g., public-key encryption): One partycreates the key to be shared, and securely sends it to the other.

2) A key agreement protocol (e.g., Diffie-Hellman): The shared key isderived by two parties as a function of data contributed by each ofthem.

The key that is shared between the smart card and the host can be usedin a number of ways to scramble the A/V stream before it is sent back tothe host. For example, block ciphers may be considered for rescrambling.Since the DES algorithm i s typically used for descrambling the incomingAn stream, it could be used for rescrambling the signal. However, such acomplex cipher engine in the host device would increase themanufacturing cost and complexity.

Synchronous stream ciphers are appropriate for rescrambling. Asynchronous stream cipher is one in which the key stream is generatedindependently of the plaintext and ciphertext messages. Although thedesign of most practical stream ciphers is centered around linearfeedback shift registers (LFSRs) (because they are well-suited forhardware implementations, produce sequences with large periods and goodstatistical properties and are amenable for analysis), there is avariety of other approaches.

The key generator 110 can be initialized with the shared key to obtainthe random sequence. The frequency of renewing the seed is animplementation dependent parameter. The seed will, in general, bedifferent for each renewal, thus resulting in dissimilar randomsequences for discouraging cryptanalytic attacks. The generalarchitecture of such a system is shown in FIG. 2.

Particularly, this invention, in one embodiment, provides for thedynamic generation of a key within the host device 100 utilizing an RSA(Rivest, Shamir and Adelman) engine. This key is shared with SC 200 andis used to rescramble the audio/visual (A/V) stream prior to it leavingthe SC 200. Both the host device 100 and SC 200 contain RSA engines forencryption and decryption. An RSA engine may be implemented using aco-processor (i.e. a microprocessor). Since the public key of the smartcard is available to the host device as well as to the serviceproviders, it can be used by the host to encrypt a scrambling key beforeit is sent to the smart card.

The protocol using the RSA public key system involves the encryption ofthe dynamic key in host device 100 using the public key of smart card200. The encrypted dynamic key is transmitted to smart card 200 and isdecrypted using the private key of the smart card. This is an asymmetrickey system, wherein only public keys are stored in the STB or DTV orDVCR. That is, the device does not store or contain any secrets (i.e.,private keys). The foundation of public-key cryptography is the use oftwo related keys, one public and one private; the private key beingcomputationally unfeasible of being deduced from the public key which ispublicly available. Anyone with a public key can encrypt a message butonly the person or device having the associated and predeterminedprivate key can decrypt it.

In another embodiment of the present invention, both host device 100 andSC 200 have Diffie-Hellman engines to generate a shared key. Neitherhost device 100 nor SC 200 can alone generate the key. A first seedvalue generated in SC 200 is sent to host device 100 and a second seedvalue generated in host device 100 is sent to SC 200. Together, hostdevice 100 and SC 200 generate the shared key.

Both of the key establishment protocols are subject to attacks if thehost device participating in the key generation is not authenticated. Animprovement is possible by generating the shared seed as a function ofthe transport stream transmitted to the card in an initial time period.As the audio/video packets are scrambled, and the Entitlement ControlMessages (ECMs) are encrypted, they can be used as functional arguments.This can provide implicit key authentication.

For example, if both host device 100 and smart card 200 have RSAengines, and the host has a copy of the card's public key, K_(pubSC),the host can construct the seed using a function of the video, audio,and ECM packets:

Shared seed:(random number|f(A, V, ECM))

As an another example, if both host device 100 and smart card 200 haveDiffie-Hellman engines and they exchange the keys α^(x) and α^(x), theexponent x can be constructed using a function of the video, audio andECM packets:

(α^(random number), α^(f(A, V, ECM))), where x=(random number+f(A,V,ECM)

In both examples, the smart card 100 computes the same functional valueindependently and compares it with that sent by the host. Thiseffectively provides host authentication, preventing the intruders fromimpersonating the host.

The function f=f(A, V, ECM) can be defined in a number of ways. Twopossible definitions are:

1) f=hash (A, V, ECM)

2) f=A xor V xor ECM

Note that these definitions may include more than three packets. Thenumber and positions of the A, V, and ECM packets in the stream are alsoa part of the function definition.

A one-way hashing algorithm, such as MD5 developed by Ron Rivest orSHA-1 developed by the National Institute of Standards and Technology(NIST) and the National Security Agency (NSA) may be used to determinethe hash function “f”.

For more security, the seed needs to be renewed periodically. Renewal ispossible by recomputing the function for each time interval. Forexample, the first packet encountered in each of the A, V, and ECMsubstreams in every 30 seconds can be used in generating a new keystream for scrambling. Alternatively, packets can be numbered forsynchronization between the host and the card.

Generation of the shared seed as a function of the transport streammakes the attacks on the proposed key establishment protocols moredifficult. This does not require additional cryptographic tools. As thetransport stream is shared by the host and the card, it can be used withminimal computation to implicitly authenticate the host.

This invention provides protection against copying of copyrighted A/Vstreams in transmission to the host. The modified key establishmentprotocols can be used to prevent active attacks. Thus, if the key isdefined to be a function of the MPEG-2 transport stream (i.e., servicepackets and ECMs), the hacker would also need to access the stream andextract the required data out of it.

While the invention has been described in detail with respect tonumerous embodiments thereof, it will be apparent that upon a readingand understanding of the foregoing, numerous alterations to thedescribed embodiment will occur to those skilled in the art and it isintended to include such alterations within the scope of the appendedclaims.

What is claimed is:
 1. A method for protecting the output audio/visualstream of a smart card comprises the steps of: (a) receiving a scrambledsignal from a source external to said smart card; (b) generating adescrambling key in response to said received signal; (c) descramblingsaid received signal using said descrambling key to generate adescrambled signal; (d) receiving data from said external source; (e)generating a scrambling key in response to said received data; (f)scrambling said descrambled signal using said scrambling key to generatea rescrambled signal; and, (g) providing said rescrambled signal to saidexternal source.
 2. The method of claim 1 wherein said received data isa scrambling key encrypted using a public key associated with said smartcard and wherein the step of generating said scrambling key comprisesdecrypting said encrypted scrambling key using a private key associatedwith said smart card, said private key being stored in said smart card.3. The method of claim 2 wherein said scrambling key comprises a seedvalue and wherein the step of scrambling said descrambled signalcomprises the steps of: (a) generating a random sequence in response tosaid seed value; and (b) generating said rescrambled signal by exclusiveORing said random sequence and said descrambled signal.
 4. The method ofclaim 3 wherein said received scrambled signal comprises video, audioand control packets and said seed value is generated, in said externalsource, in a unique manner in response to said video, audio and controlpackets.
 5. The method of claim 4 wherein said smart card verifies saidseed value by comparing said seed value to a subsequent seed valuegenerated in said unique manner in response to said video, audio andcontrol packets.
 6. The method of claim 5 wherein said seed value isgenerated utilizing said hash of video, audio and control packets. 7.The method of claim 5 wherein said seed value is generated by exclusiveORing said video, audio and control packets together.
 8. The method ofclaim 1 wherein said smart card has a card body having a plurality ofterminals arranged on a surface of said card body in accordance with oneof ISO 7816 and PCMCIA card standards.
 9. The method of claim 1 furthercomprising the step of generating, in said smart card, a first seedvalue, and wherein said received data is a second seed value.
 10. Themethod of claim 9 wherein the step of generating said scrambling keycomprises generating said scrambling key in response to said first andsecond seed values.
 11. The method of claim 10 wherein said scramblingkey comprises a seed value and wherein the step of scrambling saiddescrambled signal comprises the steps of: (a) generating a randomsequence in response to said seed value; and (b) generating saidrescrambled signal by exclusive ORing said random sequence and saiddescrambled signal.
 12. The method of claim 11 wherein said receivedscrambled signal comprises video, audio and control packets and saidfirst and second seed values are generated in a unique manner inresponse to said video, audio and control packets.
 13. The method ofclaim 10 wherein said first and second seed values are generatedutilizing said hash of video, audio and control packets.
 14. Thecombination of claim 10 wherein said first and second seed values aregenerated by exclusive ORing said video, audio and control packetstogether.
 15. A system for managing access between a service providerand a host device having a smart card coupled thereto, said host deviceperforming the steps of: (a) receiving a scrambled signal from saidservice provider; (b) sending, to said smart card, a seed valuegenerated in said host device and encrypted using a public key of saidsmart card; (c) coupling said received signal to said smart card, saidsmart card having a means for access control processing, said accesscontrol processing means comprising means for generating a descramblingkey in response to said received signal, means for descrambling saidreceived signal using said descrambling key to generate a descrambledsignal, means for decrypting said encrypted seed value using a privatekey of said smart card to provide said seed value, means for generatinga random sequence in response to said seed value and means forscrambling said descrambled signal using said random sequence and saiddescrambled signal to generate a rescrambled signal; and (d) receivingfrom said smart card said rescrambled signal.
 16. The system of claim 15wherein said public key is stored in said host device and said privatekey is stored in said smart card.
 17. The system of claim 16 whereinsaid host device is one of a digital television, a digital videocassette recorder and a digital set-top box.
 18. A system for managingaccess between a service provider and a host device having a smart cardcoupled thereto, said host device performing the steps of: (a) receivinga scrambled signal from said service provider; (b) sending, to saidsmart card, a second seed value; (c) coupling said received signal tosaid smart card, said smart card having a means for access controlprocessing, said access control processing means comprising means forgenerating a descrambling key in response to said received signal, meansfor descrambling said received signal using said descrambling key togenerate a descrambled signal, means for generating a first seed value,means for generating a scrambling key in response to said first andsecond seed values, and means for scrambling said descrambled signalusing said scrambling key to generate a rescrambled signal; and (d)receiving from said smart card said rescrambled signal.
 19. The systemof claim 18 wherein said host device is one of a digital television, adigital video cassette recorder and a digital set-top box.